Skip to content

Two-Axis Positioning Model

Understanding Your Strategic Starting Point

Rather than using traditional maturity models that assume linear progression, this framework positions software factories on two independent dimensions that determine your optimal security approach.

Why Not Maturity Models?

Traditional security maturity models imply everyone should follow the same path. SF² recognizes that a 10-person startup with modern cloud infrastructure shouldn't implement security the same way as a 5,000-person enterprise with legacy systems, even if both need strong security.

This is contingency theory applied to security: organizational research has held for decades that there is no single best way to organize, only the structure that fits an organization's environment, scale, and technology (Donaldson 2001; Horne, Maynard & Ahmad 2017). SF² carries that finding into security program design: your position, rather than your rung on a ladder everyone is told to climb, sets your strategy.

The Strategic Positioning Framework

Organizations can be assessed along two critical axes:

Blast Radius Axis (What a Failure Can Reach)

The horizontal axis is inherent blast radius: how far a failure could reach if containment fails, given everything your systems are allowed to do. It is set by the authority you have handed your automation and agents, rather than by how many people you employ. Headcount and team count were the old stand-in, and the stand-in held while a bigger system meant more people to run it. AI broke that correlation. A fifteen-person shop running fifty agents with broad tool access has the reach of an enterprise and the headcount of a studio, and a security strategy keyed to headcount cannot see the reach. So the axis names the reach directly.

Small reach: automation that touches one bounded surface, authority scoped per task, a worst-case failure contained to a single blast cell.

Large reach: automation that crosses trust boundaries (production, data, and identity at once), standing authority broad enough that one misused credential is an enterprise event, a worst-case failure that cascades across the estate.

Headcount survives here as a legacy proxy: it used to predict reach, and where a small team still holds small authority it still does. AI is what severs headcount from reach, and the axis follows the reach.

This is inherent reach, measured as if containment failed. What you build to stop a failure reaching that far, the boundary enforcement that holds a compromised component to the authority it was granted, is the other axis: readiness. Keeping the two apart is what keeps the model honest. Your reach is mostly what you have decided to let your systems do; your readiness is what you build to contain it. The containment floor that bounds the blast is the same boundary enforcement the coadaptive layer specifies at the substrate: this chapter names the position, that chapter builds the floor.

This runs asymmetrically, and the asymmetry is the point. A small shop can leap to large reach by granting fifty agents broad authority, but a large enterprise cannot shrink below its own surface area: inherent reach is the sum of every authority you have granted, and a big estate has granted a great deal. Past a certain scale that sum is simply large, and the horizontal axis stops telling enterprises apart. So the two ends of the model play different games. Small shops fight to stay on the left, one over-scoped agent fleet away from teleporting to Mass. Large enterprises take their reach as given and fight the vertical: the whole move is proving containment and climbing to Lean.

A test keeps the two axes from blurring. Place yourself in two sentences: a reach sentence using only the verbs of authority (what the automation can reach, is granted, is allowed to touch) and a readiness sentence using only the verbs of control (what is contained, caught, reviewed, segmented). If a containment word is carrying your reach claim, you have measured the wrong axis.

Operational Readiness Axis (How You Operate)

Lower Readiness:

  • Manual processes
  • Legacy infrastructure
  • Limited automation
  • Tribal knowledge
  • Reactive operations

Higher Readiness:

  • Automated pipelines
  • Modern infrastructure
  • API-driven operations
  • Documented processes
  • Proactive operations

The Four Strategic Positions

These two axes create four distinct strategic positions, each with different security approaches:

SF² two-axis positioning model A 2x2 matrix. The horizontal axis is Blast Radius, the inherent reach of a failure assuming containment fails, increasing from Small reach on the left to Large reach on the right. The vertical axis is Operational Readiness, with repeatability and proven containment rising from Lower at the bottom to Higher at the top. Four quadrants: Studio is Small reach plus Higher readiness (top left); Lean is Large reach plus Higher readiness (top right); Craft is Small reach plus Lower readiness (bottom left); Mass is Large reach plus Lower readiness (bottom right). The top row is the floor built: Studio is the ideal end state for small-reach organizations, Lean for large-reach organizations. Mass is Lean's large reach without Lean's floor: ungoverned scale rather than big batch. Studio Small reach + Higher readiness narrow grant, floor built Lean Large reach + Higher readiness broad grant, floor built Craft Small reach + Lower readiness narrow grant, by hand Mass Large reach + Lower readiness ungoverned reach, no floor Small reach Large reach Blast Radius (inherent reach, if containment fails) Lower Higher Operational Readiness (repeatability rising)
The horizontal axis is inherent blast radius (reach if containment fails); the vertical axis is operational readiness, repeatability and proven containment rising. Mass is Lean's large reach without Lean's floor: ungoverned scale rather than big batch.

Reading the two axes

The horizontal axis is blast radius: the inherent reach of a failure if containment fails, set by what authority your automation holds. The vertical axis is operational readiness: moving up means the work becomes more repeatable and a failure provably stays contained. The goal is the top row, the floor built, and it is one goal at two addresses: Studio if your reach is small, Lean if it is large. You do not choose your reach; the authority you have already granted sets it. The assessment below places you.

The names are production modes, about flow and containment

The four names map to production modes, and the analogy is about flow and containment rather than volume. Lean is the cleanest fit: Toyota's line stops the instant a defect appears so it cannot propagate, which is large flow contained by construction, exactly large reach with the floor built. Craft is the artisan touching one or two things by hand. Studio is the small, bounded, modern shop. Mass is Lean's large reach without Lean's floor: ungoverned scale rather than big batch. Under the reach axis the border that matters is against Lean rather than against Ford's assembly line.

Each position is drawn out in full on Four Strategic Positions: its characteristics, security approach, investment priorities, and common pitfalls. In short: Studio is small reach with the floor built, Lean is large reach with the floor built, Craft is small reach done by hand, and Mass is large reach with no floor under it. The top row is the goal at either reach; Craft and Mass are those same two reaches without the floor.

Assessing Your Position

Use these questions to determine your organization's position:

Blast Radius Assessment (inherent reach)

Question Small reach Large reach
Reach of most-capable automation: the largest set of systems any one automated actor (pipeline, agent, service account) can touch without a human in the loop? One bounded surface (single service/datastore) Crosses trust boundaries (prod + data + identity); org-wide
Worst-case propagation: if your single most-privileged non-human identity were fully compromised now, how far does damage reach before something not also compromised stops it? Contained to one blast cell Cascades across the estate
Autonomy depth: how much can automation do rather than merely read, without a human checkpoint (open and merge code, move money, grant access, drop data)? Read or propose only; humans commit consequential actions Acts and commits consequential actions unattended
Authority concentration: does any single credential, role, or agent hold standing authority broad enough that its misuse is an enterprise event? No; authority attenuated per task Yes; broad standing authority exists

If the answers are split

Reach is a sum, so it tips on the strongest answer. If any row above lands in the Large reach column, especially worst-case propagation or authority concentration, treat your reach as large. One broad grant is enough to put the whole estate in the blast.

Operational Readiness Assessment

Question Lower Readiness Higher Readiness
Containment verifiability: can you prove (not assert) that a compromised component cannot exceed the authority you granted it? No; you rely on it behaving Yes; enforced at the boundary
Deployment process? Manual Fully automated
Infrastructure? Legacy/on-prem Cloud-native/hybrid
Documentation? Tribal knowledge Comprehensive docs
Observability? Limited/reactive Comprehensive/proactive
Change velocity? Weeks/months Hours/days

Why This Matters for Security

Position is a sequencing and funding diagnostic rather than an architecture one. It does not decide whether you adopt the containment floor; every quadrant owes the same one. It decides how fast you reach it and what you fund first. Within that, your position determines:

  1. Funding order: Which security investments to make first, and which to defer
  2. Rollout pace: How fast you can stand up capabilities without outrunning the organization
  3. Timeline expectations: How long transformation realistically takes
  4. Mechanism fit: Which implementation meets the containment floor at your scale
  5. Success metrics: What good looks like at your stage

Common Mistake

Implementing Lean-level security programs in a Mass or Craft organization often leads to:

  • Failed tooling implementations
  • Frustrated security and development teams
  • Wasted budget on capabilities you never put to use
  • Security becoming a bottleneck instead of enabler

Strategic Movement Paths

Most organizations are working upward: building the floor under the reach they already hold. Small reach lands that climb in Studio; large reach lands it in Lean. The route depends on where they start. Every move, with its investments, timeline, and likelihood, is laid out on Strategic Movement Paths, which lays all six out in a summary table. The one worth naming here: Craft → Mass is drift rather than a strategy, reach that outran the floor. It is the move to guard against.

Using Position to Guide Security Strategy

The lists below are four sequences toward the same containment, each with tooling fit to its scale. Every quadrant owes deny-by-default limits on the authority review cannot police at scale; what changes below is the order of investment and the tooling that fits the operational reality. Each list is a funding order for your scale rather than the security you end up with.

For Studio:

  • Use cloud-native security services
  • Implement policy-as-code from inception
  • Build security into platform capabilities
  • Enable developer self-service

For Lean:

  • Orchestrate enterprise security architecture
  • Build internal security platforms
  • Optimize at scale with automation
  • Continuous security improvement programs

For Craft:

  • Focus on foundational security capabilities
  • Manual but systematic approaches
  • Gradual capability building
  • Use managed security services

For Mass:

  • Pragmatic hybrid security approaches
  • Risk-based prioritization (critical systems first)
  • Incremental modernization
  • Balance legacy and modern security capabilities

Next Steps

Now that you understand strategic positioning, explore the specific characteristics and recommended approaches for each position:

Explore Strategic Positions in Detail Learn About Movement Paths


Naming note (v0.5 → v0.6)

These four positions were named Visionaries, Leaders, Niche Players, and Challengers in v0.5. They are now Studio, Lean, Craft, and Mass. See the quadrant rename mapping for the full crosswalk and the reasoning behind the change.


Back to Universal Security Conditions